4 Emotional Triggers Used by Cybercriminals: Protecting Your Financial Information
Have you ever heard the term Social Engineering? It sounds complicated, but it’s a simple method used by scammers to obtain your personal information by applying emotional triggers during a phone call, text, or email.
One of the most effective social engineering tactics cybercriminals use is to keep us from thinking critically, usually by targeting our emotions.
We, as humans, far too often make decisions based on emotions instead of facts. There is an entire field of study on this concept, called “behavioral economics.” Fortunately, if we know the emotional triggers to look for, we can successfully spot and stop most social engineering attacks.
We’ve listed four of the most commonly used emotional triggers. Cybercriminals combine these emotions in the same email, text, social media post, or phone call, making the attack much more effective.
Four Emotional Triggers Used by Cyber Attackers
Urgency is one of the most common emotional triggers, as it’s so effective. Cybercriminals often use fear, anxiety, scarcity, or intimidation to rush you into making a mistake. Take, for example, an urgent email from your mortgage lender requesting sensitive documents to be sent to them right away when, in reality, it’s a cybercriminal pretending to be your lender. Or perhaps you get a text from a cybercriminal pretending to be the government informing you that your taxes are overdue and you must pay or go to jail.
Attackers may use a trusted name or brand to convince you to take action. For example, an email may pretend to be from a financial institution, merchant, well-known charity, trusted government organization, or even a business partner you know. Just because an email or text uses the name and logo of an organization you know does not mean the message came from them.
Most of us are taught to be helpful and duteous from a young age. Cybercriminals recognize our willingness to help others and use it against us during social engineering attacks. Cybercriminals typically seek out customer or financial service agents because their helpful mindset makes them choice targets. For example, a malicious attacker may begin a phone conversation with the statement, “I really need your help,” or, “I’m hoping you can help me.” The target feels sympathy, relating to the feeling of needing help, and now wants to be helpful. Though simple, this tactic is remarkably effective in getting the target to divulge protected information.
Cybercriminals will take advantage of your goodwill. For example, after a disaster appears on the news, they will send millions of malicious emails pretending to be a charity serving the victims.
How to Protect Yourself from Social Engineering Attacks
Use Critical Thinking – The most powerful weapon against social engineering attacks is critical thinking. Given the emotional nature of these attacks, there may not always be a specific tool or process that can prevent us from falling victim to human vulnerability. However, being aware of such vulnerabilities lets you pause and consider the request. Ask yourself:
- Why are they asking this of me?
- Is this request reasonable or unnecessarily urgent?
- Is this request contrary to how I’ve handled matters like this?
Scrutinize the Communication – Look at the email domain and see if there is anything off about the sender’s email. For example, is it a supposed merchant email but from a Gmail account? Is there an extra letter, number, or symbol in the sender’s address that would not typically be there?
Review the communication carefully. Are there any misspellings or incorrect grammar in the communication? It can be as apparent as a missed word or as subtle as a plural word where it should be singular.
Is the sender asking you to take action? Most attackers will ask you to take immediate action by clicking on a link or calling a bogus number provided.
Authenticate the Sender or Caller – If you receive an unexpected email from a known sender containing attachments or links and the email generally seems out of character, contact the sender through a trusted alternate contact method (do not reply to the email) to verify the authenticity of the email.
Cybercriminals will often spoof phone numbers to make it appear they are calling from a trusted number. Remember, a legitimate caller will not ask you for your social security number, account number, login information, or authentication code to access your account. If you’re suspicious of the caller, don’t give any information; hang up and call the alleged company directly.
Staying alert to scams can help protect your personal and financial information from cybercriminals. Read Keeping Your Data Safe Online for more ways to protect yourself from cyber attacks.